Compromised Credentials: The Primary Point of Attack for Data Breaches

Organizations Should Move to an Identity-centric Approach Based on a Zero Trust Model

Recent headlines of Russia-linked hackers harvesting access credentials to infiltrate the U.S. Senate and then move laterally illustrate a common tactic used by cyber criminals and state-sponsored attackers. According to the Verizon 2017 Data Breach Investigations Report, a whopping 81% of hacking-related breaches leverage either stolen, default, or weak passwords. So why are so many organizations still focusing on securing the network perimeter, instead of rethinking their core defenses by maturing their identity and access management strategies to secure applications, devices, data, and infrastructure, both on-premises and in the cloud?

The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even worse if the stolen identity belongs to a privileged user, who has far broader access and therefore hands the intruder “the keys to the kingdom”. By operating under a “trusted” identity, an attacker’s sessions look like ordinary logins, so the attacker can move around and exfiltrate sensitive data sets without raising any red flags. It is therefore not surprising that most of today’s cyber-attacks are front-ended by credential harvesting campaigns. Common harvesting methods include password sniffers on the network, phishing campaigns that capture logins on look-alike pages, and malware that records keystrokes or dumps cached credentials from compromised hosts.

To limit their exposure to these attacks, organizations need to rethink their enterprise security strategy and move to an identity-centric approach based on a Zero Trust model: never trust, always verify. Every request is authenticated and authorized on its own merits, regardless of whether it originates inside or outside the corporate network. This concept should be applied to an organization’s workforce as well as to its customers, partners, privileged IT admins, and outsourced IT.

Unfortunately, many organizations still rely primarily on single-factor authentication (i.e., passwords) to identify a person electronically. Even though most businesses have enforced stricter password policies (e.g., length and reuse requirements, renewal intervals) in recent years, end users and privileged account holders often have too many passwords to remember. This makes them prone to reusing passwords across different environments or even writing them down and storing them in the open. Forced periodic renewal tends to make this worse rather than better, which is why NIST SP 800-63B (2017) advises against arbitrary password expiry and instead recommends screening new passwords against known-breached lists.

To address these problems, organizations should consider the following best practices for identity and access management, which fall into four levels of maturity, from ‘Good’ through ‘Better’ and ‘Great’ to ‘Optimal’:

To achieve a ‘Good’ identity management posture, organizations need to establish identity assurance. This can be accomplished by consolidating identities to shrink the attack surface, leveraging Single Sign-On technology, and enforcing risk-based access. In this context, multi-factor authentication (MFA) plays an essential role. When MFA is in place, knowing someone’s user name and password is no longer enough to assume the victim’s identity, because the attacker would also need something the victim has or something the victim is. One caveat: factors that the user types in (SMS or app-generated one-time codes) can still be relayed in real time by a phishing site, so where the risk warrants it, phishing-resistant authenticators such as hardware security keys bound to the site origin (U2F/FIDO2) are the stronger choice.

To transform to ‘Better’ identity and access management practices, organizations should establish so-called access zones and provision access approvals in accordance with a user’s role. By doing so, an attacker who compromises one account is confined to the zones that role may reach, and lateral movement is limited.

To achieve ‘Great’(ness), organizations should also enforce least privilege, limiting users’ access rights to the minimum permissions they need to perform their job, and ultimately grant these on a just-in-time basis. Because every elevation is then requested, approved, and time-boxed, privilege use becomes visible, and unusual requests can be detected before they result in a data breach.

To achieve an ‘Optimal’ identity and access management maturity status, organizations should combine all of the above with behavior-based machine learning technology and risk scoring to stop breaches in real time based on user behavior. A machine learning engine can help detect whether an access request originates from the legitimate user or from an attacker who has compromised that user’s account.

With the help of machine learning, access profiles are built automatically from each user’s observed behavior. A risk score is then assigned to every access request the user makes, across cloud and on-premises applications, VPN, servers, shared account checkout, and more. If a request is consistent with the user’s typical behavior, it presents low risk. Factors that increase the risk score include requests from atypical locations, networks, or devices, or at unusual times. The resulting score determines whether access is granted, requires step-up authentication (e.g., entering a one-time password delivered via SMS or, preferably, generated by an authenticator app or hardware token, since SMS codes can be intercepted or relayed), or is blocked entirely.
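The following block is an added illustration, not code from the article or from any vendor named in it. It puts the ‘Better’, ‘Great’ and ‘Optimal’ controls described above into one access-decision function: a role-to-zone check, a just-in-time grant check for sensitive zones, and a behavioral risk score that drives allow, step-up or block. The zones, roles, weights, thresholds and the sample access history are all assumptions constructed for the example; a real engine would learn per-value frequencies with decay rather than plain set membership.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# 'Better': each role may reach only its access zones; anything else is denied outright.
ROLE_ZONES = {"developer": {"dev", "ci"}, "dba": {"dev", "prod-db"}, "helpdesk": {"corp-apps"}}
USER_ROLES = {"alice": "dba", "bob": "developer", "carol": "helpdesk"}
# 'Great': sensitive zones also need a time-boxed just-in-time grant, keyed (user, zone) -> expiry.
JIT_ZONES = {"prod-db"}

@dataclass
class AccessEvent:
    user: str
    zone: str
    country: str
    device_id: str
    network: str  # assumed labels such as "corp" or "public"
    when: datetime

    def attributes(self):
        """The behavioral attributes that make up a user's baseline."""
        return {"country": self.country, "device": self.device_id,
                "network": self.network, "hour": self.when.hour}

def build_profiles(history):
    """'Optimal': learn a per-user baseline as the set of values seen per attribute."""
    profiles = {}
    for ev in history:
        p = profiles.setdefault(ev.user, {})
        for key, value in ev.attributes().items():
            p.setdefault(key, set()).add(value)
    return profiles

# Assumed weights and thresholds on a 0-100 scale.
RISK_WEIGHTS = {"country": 40, "device": 25, "network": 15, "hour": 10}
STEP_UP_AT, BLOCK_AT = 25, 60

def risk_score(profile, ev):
    """Return (score, reasons); every attribute value never seen for this user adds risk."""
    if profile is None:
        return 50, ["no baseline for user"]  # first-seen user: challenge, do not silently trust
    reasons = [k for k, v in ev.attributes().items() if v not in profile[k]]
    return min(100, sum(RISK_WEIGHTS[k] for k in reasons)), reasons

def decide(req, grants, profiles, now):
    """Run one request through the zone check, the JIT grant check and risk scoring."""
    role = USER_ROLES.get(req.user)
    if role is None or req.zone not in ROLE_ZONES[role]:
        return "deny:zone", 0, ["zone not permitted for role"]
    if req.zone in JIT_ZONES and grants.get((req.user, req.zone), now) <= now:
        return "deny:no-grant", 0, ["no active just-in-time grant"]
    score, reasons = risk_score(profiles.get(req.user), req)
    if score >= BLOCK_AT:
        return "block", score, reasons
    if score >= STEP_UP_AT:
        return "step_up", score, reasons
    return "allow", score, reasons

# Constructed sample history: alice uses one laptop on the corporate network between 08:00 and 10:00.
NOW = datetime(2018, 1, 15, 10, 0)
HISTORY = [AccessEvent("alice", "prod-db", "US", "lap-1", "corp", NOW - timedelta(days=d, hours=h))
           for d in range(1, 11) for h in (0, 1, 2)]
PROFILES = build_profiles(HISTORY)
GRANTS = {("alice", "prod-db"): NOW + timedelta(hours=2)}  # JIT grant valid until 12:00

def demo():
    """Constructed requests covering each decision path."""
    requests = {
        "normal": AccessEvent("alice", "prod-db", "US", "lap-1", "corp", NOW),
        "new_device": AccessEvent("alice", "prod-db", "US", "lap-9", "corp", NOW),
        "anomalous": AccessEvent("alice", "prod-db", "RU", "lap-9", "public", NOW.replace(hour=3)),
        "wrong_zone": AccessEvent("bob", "prod-db", "US", "lap-2", "corp", NOW),
        "expired_grant": AccessEvent("alice", "prod-db", "US", "lap-1", "corp", NOW + timedelta(hours=3)),
        "first_seen": AccessEvent("carol", "corp-apps", "US", "lap-3", "corp", NOW),
    }
    return {name: decide(r, GRANTS, PROFILES, r.when) for name, r in requests.items()}

if __name__ == "__main__":
    for name, (decision, score, reasons) in demo().items():
        print(f"{name:14} {decision:14} risk={score:3} {reasons}")
```

The ordering matters: the static controls (zone and grant) run before the behavioral score, so a request that a role was never entitled to is refused even when it looks perfectly normal, and the score only decides how much additional proof to demand for access the user is in principle allowed to have.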

This continuous monitoring approach meets the requirements of Zero Trust Security as advocated by The National Institute of Standards and Technology (NIST), Forrester, and corporate innovators like Google.

Organizations need to recognize that perimeter-based security, which focuses on securing endpoints, firewalls, and networks, offers little protection against identity and credential-based threats: to a firewall, an attacker logging in with valid credentials is indistinguishable from the legitimate user. Until we start implementing identity-centric security measures, account compromise attacks will continue to provide perfect camouflage for data breaches.

Torsten George is strategic advisory board member at vulnerability risk management software vendor, NopSec. Torsten has more than 20 years of global information security experience. He is a frequent speaker on cyber security and risk management strategies worldwide and regularly provides commentary and byline articles for media outlets, covering topics such as data breaches, incident response best practices, and cyber security strategies. Torsten has held executive level positions with RiskSense, RiskVision (formerly Agiliance), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell). He holds a Doctorate in Economics and a Diplom-Kaufmann degree.